An Overview of Contactless ATM Security
Table of Contents
- How Do Contactless ATMs Work?
- What Makes Contactless ATMs Secure?
- Are Contactless ATMs Still Vulnerable to Fraud?
- Frequently Asked Questions
More than ever, consumers are flocking to technologies that let them keep their hands to themselves when they’re out in public. Contactless payments are on the rise, and now that we’re used to the idea of holding our phone in front of a scanner to pay for a cappuccino, we’re seeing an increase in more ambitious contactless payment systems—like contactless automated teller machines.
These ATMs are convenient and reduce the spread of germs, but they don’t rely on the same card-and-PIN security we’re used to seeing. What are the scams and fraud risks that contactless ATM operators need to know about?
Contactless payments have been around for a while, and they’ve seen a big boost in recent years as tech giants like Apple, Google, and Samsung have launched their own digital wallet apps and contactless payment platforms. Contactless payment systems have been designed around the premise that they’re most likely to be used for quick, low dollar amount transactions, like a cup of coffee or a newspaper.
Everybody appreciates a quick and hassle-free experience when it’s time to withdraw cash, so in that sense ATMs are a natural fit for contactless technology—but the dollar amounts often exceed the typical tap-to-pay transaction. That means higher withdrawal limits, and more incentive for fraudsters to find ways to exploit both the technologies and the consumer behaviors developing around these new payment systems.
The good news is that contactless technology is more secure, in many ways, than the physical safeguards that merchants and consumers relied upon for decades. However, experienced merchants know that good fraud protection isn’t a matter of crossing your fingers and hoping the odds are in your favor. It may be time to embrace contactless ATMs and other touchless payment systems, but we have to be clear-eyed about what sort of fraud might target these platforms.
How Do Contactless ATMs Work?
Most contactless ATMs use near-field communication (NFC) technology to send data between the merchant’s NFC-enabled terminal and the customer’s payment device. Depending on the particular method used, this can be the card itself or, more commonly, a smartphone with a compatible app installed. When the device is brought into close proximity to the terminal, it transmits the customer’s account information and other details needed to process the transaction. Apple Pay, Google Pay, and Capital One use this method. Other platforms, such as PayPal’s Paydiant, have an app that generates a QR code for the ATM to scan.
The customer may be required to authenticate the transaction by entering their PIN into the app on their own device, but they never have to touch any screens or buttons on the ATM itself.
Contactless ATMs are identified by stickers or symbols that identify the platforms they accept. Most large consumer banks offer contactless ATM banking in one form or another, either in partnership with a third-party platform or through their own in-house app and ATM network.
What Makes Contactless ATMs Secure?
For the most part, contactless ATMs use the same modern security protocols that protect physical EMV chip transactions—they only differ in the manner in which the customer provides their information to the ATM.
The strongest protection is the fact that two-factor authentication is built into most contactless ATM systems. The customer has to have access to both their payment device and their banking login credentials, possibly including a PIN, in order to authenticate the transaction. A fraudster who has possession of one but not the other will have no luck stealing that customer’s money from a contactless ATM.
The data the customer’s payment device sends to the merchant’s terminal is tokenized—it does not contain the customer’s name, account number, or any other identifying information. Instead, it consists of encoded single-use data that allows the merchant to authenticate and process the transaction. Even if a fraudster can hack into the merchant’s system to steal this data, there’s nothing they’ll be able to do with it.
Tokenization also means that there’s no risk of “skimmer” or “sniffer” devices that eavesdrop on contactless communications. These devices were originally built to clone magnetic stripe cards, which store the account number and other credentials as unencrypted data. Creating a device that could surreptitiously intercept NFC communications—let alone decode them—would be several orders of magnitude more difficult.
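The two properties described in this section, a device-bound factor plus a knowledge factor, and single-use tokenized data that carries no account number, can be shown in a small simulation. The following is an added example and not code from Chargeback Gurus or from any real wallet, EMV or network implementation: the message layout, the monotonic counter, the ATM challenge nonce and the unsalted PIN hash are simplifying assumptions chosen to make the security properties visible, not a description of how any particular platform works.

```python
"""Simulation of a tokenized, single-use contactless withdrawal.

Added example (not from the original page or any real payment network).
Assumptions: the issuer holds the PAN and a per-device key; the phone holds
only an opaque token reference and that key; each tap produces a fresh
HMAC cryptogram over a strictly increasing counter and an ATM-chosen nonce.
"""
import hashlib
import hmac
import json
import secrets


def _cryptogram(key: bytes, token_ref: str, ctr: int, amount: int, atm_nonce: str) -> str:
    """Single-use proof that the device holding `key` approved this exact transaction."""
    data = f"{token_ref}|{ctr}|{amount}|{atm_nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Issuer:
    """Bank side: maps token references to real accounts and verifies cryptograms."""

    def __init__(self) -> None:
        self._vault: dict[str, dict] = {}   # token_ref -> account record

    def provision(self, pan: str, pin: str) -> tuple[str, bytes]:
        """Enrol a device. The real PAN never leaves the issuer's vault."""
        token_ref = secrets.token_hex(8)
        device_key = secrets.token_bytes(32)
        self._vault[token_ref] = {
            "pan": pan,
            "key": device_key,
            # Unsalted hash for brevity; a real issuer verifies PIN blocks in an HSM.
            "pin_hash": hashlib.sha256(pin.encode()).hexdigest(),
            "last_ctr": 0,
        }
        return token_ref, device_key

    def authorize(self, msg: dict, pin: str) -> str:
        """Validate a withdrawal request forwarded by the ATM."""
        rec = self._vault.get(msg["token_ref"])
        if rec is None:
            return "DECLINED: unknown token"
        # Single-use: the counter must strictly increase, so a captured
        # message replayed by an eavesdropper is rejected.
        if msg["ctr"] <= rec["last_ctr"]:
            return "DECLINED: replayed or stale cryptogram"
        expected = _cryptogram(rec["key"], msg["token_ref"], msg["ctr"], msg["amount"], msg["atm_nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: bad cryptogram"
        # Second factor: something the customer knows, checked apart from the device key.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), rec["pin_hash"]):
            return "DECLINED: bad PIN"
        rec["last_ctr"] = msg["ctr"]
        return f"APPROVED: {msg['amount']} from account ending {rec['pan'][-4:]}"


class WalletDevice:
    """Customer's phone: holds only the token reference and the device-bound key."""

    def __init__(self, token_ref: str, device_key: bytes) -> None:
        self.token_ref = token_ref
        self._key = device_key
        self._ctr = 0

    def tap(self, amount: int, atm_nonce: str) -> dict:
        """Build the message sent over NFC for one tap."""
        self._ctr += 1
        return {
            "token_ref": self.token_ref,
            "ctr": self._ctr,
            "amount": amount,
            "atm_nonce": atm_nonce,
            "cryptogram": _cryptogram(self._key, self.token_ref, self._ctr, amount, atm_nonce),
        }


def demo() -> dict:
    """Run the scenarios the text describes and return the issuer's decisions."""
    issuer = Issuer()
    pan = "4111111111111111"          # constructed sample card number
    token_ref, key = issuer.provision(pan, pin="4321")
    phone = WalletDevice(token_ref, key)

    atm_nonce = secrets.token_hex(4)  # challenge chosen by the ATM for this tap
    msg = phone.tap(amount=200, atm_nonce=atm_nonce)
    over_the_air = json.dumps(msg)    # what a sniffer at the terminal would see

    # Someone who sniffed the token reference and knows the PIN but lacks the device key.
    forged = dict(msg, ctr=99, cryptogram=_cryptogram(secrets.token_bytes(32), token_ref, 99, 200, atm_nonce))

    return {
        "pan_in_message": pan in over_the_air,                        # False: tokenized
        "first": issuer.authorize(msg, pin="4321"),                   # APPROVED
        "replay": issuer.authorize(msg, pin="4321"),                  # DECLINED: replayed
        "stolen_phone_no_pin": issuer.authorize(phone.tap(100, atm_nonce), pin="0000"),
        "credentials_no_device": issuer.authorize(forged, pin="4321"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>22}: {outcome}")
```

The point to take from the run is that the stolen phone without the PIN, the stolen credentials without the phone, and the replayed capture are all declined by different checks, while the message that actually crosses the air gap contains no account number.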
Are Contactless ATMs Still Vulnerable to Fraud?
Unfortunately, the strongest encryption and the most up-to-date anti-fraud protocols can’t protect anyone from some of the oldest and most basic forms of fraud. What contactless ATMs are most vulnerable to is account takeover fraud, where the fraudster has access to the victim's credentials, and can simply enter the correct username and password rather than trying to hack in or bypass authentication in some way.
As is the case with most modern forms of digital security, the weak point of the system is the person using it. Account owners themselves are a common point of entry for fraudsters, whether through phishing or by taking advantage of password re-use.
Fraudsters frequently send out phishing texts and emails designed to get unwary victims to give them access to their online banking accounts. If a stolen account comes with contactless ATM access, that’s a big score for the fraudster, who can get cold hard cash out of it with minimal effort.
Most people also re-use the same passwords for multiple accounts, in many cases having only a single password that they use for any service that requires one. It’s an unfortunately common occurrence for websites with weak security to be compromised, leaking thousands if not millions of customer emails and passwords. Fraudsters frequently enter these leaked credentials into email accounts, banking websites, online payment platforms like PayPal, and pretty much anywhere else where account access would provide them some financial benefit. If a customer has re-used the same credentials and hasn’t set up two-factor authentication, their account can be easily compromised.
While most contactless payment systems require two-factor authentication, in many cases login access to the banking website and/or the customer's email account can be used to authorize a new device.
Account takeover fraud can be difficult to guard against, because it tends to rely on a low-tech approach that’s extremely difficult to detect once successful—and also because the only person who can really protect the account is the account holder, not the merchant or ATM operator who winds up as a secondary victim of the fraudster.
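The account-takeover path described above (leaked credentials tried across many accounts, a successful login used to enrol a new device, then a cardless withdrawal) leaves a trail in authentication and ATM logs even when each step looks legitimate on its own. The following is an added example, not code from Chargeback Gurus or any bank: the JSON-lines event format, field names, thresholds and sample events are constructed assumptions, and a real review would run the same logic over the bank's own login and ATM switch records.

```python
"""Flag cardless withdrawals that follow a takeover-shaped device enrolment.

Added example (not from the original page). Event format, field names,
thresholds and all sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

STUFFING_USER_THRESHOLD = 3          # distinct accounts with failed logins from one IP
NEW_DEVICE_WINDOW = timedelta(hours=24)

# Constructed sample events (JSON lines); the parser sorts them by time.
SAMPLE_LOG = """
{"ts":"2024-03-01T09:00:00","event":"login_fail","user":"alice","ip":"198.51.100.7"}
{"ts":"2024-03-01T09:00:02","event":"login_fail","user":"bob","ip":"198.51.100.7"}
{"ts":"2024-03-01T09:00:04","event":"login_fail","user":"carol","ip":"198.51.100.7"}
{"ts":"2024-03-01T09:00:06","event":"login_ok","user":"dave","ip":"198.51.100.7"}
{"ts":"2024-03-01T09:03:00","event":"device_enrolled","user":"dave","ip":"198.51.100.7","device":"phone-9f1"}
{"ts":"2024-03-01T09:20:00","event":"cardless_withdrawal","user":"dave","device":"phone-9f1","amount":500}
{"ts":"2024-02-10T08:00:00","event":"login_ok","user":"erin","ip":"203.0.113.5"}
{"ts":"2024-02-10T08:01:00","event":"device_enrolled","user":"erin","ip":"203.0.113.5","device":"phone-2ab"}
{"ts":"2024-03-01T10:00:00","event":"cardless_withdrawal","user":"erin","device":"phone-2ab","amount":100}
"""


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])


def stuffing_ips(events: list[dict]) -> dict[str, int]:
    """IPs that failed logins against many different accounts: the signature of
    leaked credential lists being tried, not of one customer mistyping."""
    failed_users: dict[str, set] = defaultdict(set)
    for ev in events:
        if ev["event"] == "login_fail":
            failed_users[ev["ip"]].add(ev["user"])
    return {ip: len(users) for ip, users in failed_users.items()
            if len(users) >= STUFFING_USER_THRESHOLD}


def review_withdrawals(log_text: str) -> list[dict]:
    """Return cardless withdrawals whose device enrolment looks like a takeover."""
    events = parse_events(log_text)
    suspect_ips = stuffing_ips(events)
    enrolments: dict[tuple, dict] = {}   # (user, device) -> enrolment event
    flagged = []
    for ev in events:
        if ev["event"] == "device_enrolled":
            enrolments[(ev["user"], ev["device"])] = ev
        elif ev["event"] == "cardless_withdrawal":
            reasons = []
            enrol = enrolments.get((ev["user"], ev["device"]))
            if enrol is None:
                reasons.append("withdrawal from a device with no enrolment record")
            else:
                age = ev["ts"] - enrol["ts"]
                if age < NEW_DEVICE_WINDOW:
                    reasons.append(f"device enrolled {int(age.total_seconds() // 60)} min before withdrawal")
                if enrol["ip"] in suspect_ips:
                    reasons.append(f"device enrolled from {enrol['ip']}, which failed logins on "
                                   f"{suspect_ips[enrol['ip']]} accounts")
            if reasons:
                flagged.append({"user": ev["user"], "amount": ev["amount"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in review_withdrawals(SAMPLE_LOG):
        print(hit["user"], hit["amount"], "; ".join(hit["reasons"]))
```

On the sample data only the withdrawal by the account that was logged into from the credential-stuffing source and fitted with a new device seventeen minutes earlier is flagged; the account with a device enrolled weeks ago from an unremarkable address is not. A bank or ATM operator can use a flag like this to hold or step-up a first withdrawal from a newly enrolled device rather than discovering the loss in a chargeback.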
There’s no reason to fear the “contactless” part of contactless payments and ATMs—while no system can be perfectly secured, and breaches are to some extent inevitable, all of the stakeholders behind these ventures know that they’ll only succeed if consumers are confident that they can use them safely—at least most of the time.
The key is to be aware of the shape and direction of the fraud threats you are likely to face. With up-to-date technology and the right safeguards in place, you can reduce your exposure to fraud and possibly avoid financial liability in certain circumstances. If you’re partnering with a fraud or chargeback management firm, they can help you come up with policies and procedures for contactless payments that will maximize your protection.
Frequently Asked Questions
What banks use cardless ATMs?
Do all ATMs support contactless cash?
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: firstname.lastname@example.org